Signature-based NIDS

• Most NIDS use signatures

• Like virus detection systems

• Pattern-match traffic against known signatures (patterns) of “bad” traffic

  • Lag in identifying signatures of new attacks
  • May need a new signature for each variant/implementation of an attack